[QSA-0220263]
Munge vulnerability

Qlustar Security Advisory 0220263

February 20th, 2026

Summary:

Munge vulnerability

Package(s)       : nvidia-graphics-drivers-570
                   qlustar-module-nvidia-570-noble-amd64-14.0
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability    : Privilege escalation
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : CVE-2026-25506

Relevant to Qlustar 13 and 14

Titouan Lazard discovered that a local attacker can exploit a buffer overflow vulnerability in munge to retrieve cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary munge credentials to impersonate any user (including root) to services that rely on munge for authentication. A more detailed analysis can be found here.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13 and 14

munge                                       0.5.18-ql.1